ivanbarkic
Beginner

Restrict certain IP addresses for establishing IPSec

Is it possible on Cisco ASA 55xx to restrict (to filter) certain public IP addresses which would be THE ONLY addresses able to establish Remote Access IPSec VPN using Cisco VPN client? Let's assume that Cisco VPN client establishes VPN connection from fix public IP address (always the same).

So, I am not talking about ACL actions on VPN traffic. I'm asking about establishing IPSec tunnel and preventing some public IPs of even trying that.

Thanks.

Accepted Solution

malshbou
Beginner

Hi Ivan,

You may use control-plane access-list to filter the VPN connections to the ASA by blocking UDP 500.

For example:

ciscoasa(config)# access-list FILTER-VPN deny udp host host   eq 500

ciscoasa(config)# access-list FILTER-VPN permit ip any any

ciscoasa(config)# access-group FILTER-VPN in interface outside control-plane

Regards.

----
Mashal Shboul

-------

Edit: Didn't see Marcin's reply

Message was edited by: Mashal Alshboul

------------------ Mashal Shboul


4 REPLIES
Marcin Latosiewicz
Cisco Employee

bsns-asa5505-19(config)# access-group IN in interface outside ?

configure mode commands/options:

  control-plane      Specify if rule is for to-the-box traffic

For example from:

http://blog.ipexpert.com/2011/01/05/asa-control-plane-access-list/

I'm not saying it's a smart thing to do, but it's a possibility...


Hi,

thanks for the answer. That will do just fine.

If I put "ssh 0 0 outside", the mgmt traffic will still be able to hit the outside interface even if it is not permitted in the FILTER-VPN cp acl, right? I read that it takes precedence over the cp acl.

Regards

Hi Ivan,

Yes, the "ssh 0 0 outside" overrides the control-plane ACL and allows the SSH connections to the ASA.

Actually this statement creates the following implicit ACL to permit the SSH traffic:

Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x732d57e8, priority=121, domain=permit, deny=false
        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=22, dscp=0x0
        input_ifc=outside, output_ifc=identity

Hope this helps

---
Mashal Shboul

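The accepted solution above denies one known source from reaching UDP 500, and the last two replies note that a "ssh 0 0 outside" statement is honoured before the control-plane ACL is consulted. The following Python model is an added example and not code from this thread or from Cisco: it generates the allowlist form of the same control-plane ACL (permit IKE only from the listed peers, deny IKE from everyone else, then permit the rest) and evaluates to-the-box packets against it with ASA-style first-match semantics, so the precedence of the ssh statement can be checked without an ASA. The ACL name FILTER-VPN, the peer addresses (documentation ranges) and the interface name "outside" are constructed for the example. UDP 4500 is included alongside UDP 500 because the VPN client falls back to NAT-T encapsulation when it sits behind NAT; the thread itself only mentions UDP 500.

```python
"""Model of an ASA control-plane ACL that limits which peers may start IKE.

Added example, not code from the thread. Assumptions: a hypothetical ACL name
FILTER-VPN, constructed peer addresses from the documentation ranges, and an
interface named "outside". First-match evaluation is modelled in Python; the
rendered lines are not executed on any device.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "udp", "tcp" or "ip" ("ip" matches any protocol)
    src: ipaddress.IPv4Network      # source network; 0.0.0.0/0 renders as "any"
    dst_port: Optional[int] = None  # destination port; None means any port


IKE_PORTS = (500, 4500)  # IKE (isakmp) and IKE/ESP NAT-T encapsulation


def render_ace(acl_name: str, ace: Ace) -> str:
    """Render one ACE in ASA access-list syntax; destination 'any' is fine for to-the-box traffic."""
    if ace.src.prefixlen == 0:
        src = "any"
    elif ace.src.prefixlen == 32:
        src = f"host {ace.src.network_address}"
    else:
        src = f"{ace.src.network_address} {ace.src.netmask}"
    port = f" eq {ace.dst_port}" if ace.dst_port is not None else ""
    return f"access-list {acl_name} extended {ace.action} {ace.proto} {src} any{port}"


def build_ike_allowlist(acl_name: str, allowed_peers: Sequence[str],
                        permit_other: bool = True) -> Tuple[List[str], List[Ace]]:
    """Allowlist variant of the thread's deny-one-host ACL.

    Order matters: specific permits first, then deny IKE from anyone else,
    then (optionally) the 'permit ip any any' the thread uses so that other
    to-the-box traffic is not caught by the implicit deny.
    Returns (CLI lines including the access-group, ACE list for evaluation).
    """
    any_net = ipaddress.ip_network("0.0.0.0/0")
    aces: List[Ace] = []
    for peer in allowed_peers:
        net = ipaddress.ip_network(peer, strict=False)  # "a.b.c.d" becomes a /32
        for port in IKE_PORTS:
            aces.append(Ace("permit", "udp", net, port))
    for port in IKE_PORTS:
        aces.append(Ace("deny", "udp", any_net, port))
    if permit_other:
        aces.append(Ace("permit", "ip", any_net, None))
    lines = [render_ace(acl_name, a) for a in aces]
    lines.append(f"access-group {acl_name} in interface outside control-plane")
    return lines, aces


def to_the_box_allowed(src_ip: str, proto: str, dst_port: int, aces: Sequence[Ace],
                       ssh_allowed: Sequence[str] = ()) -> bool:
    """First-match evaluation of a to-the-box packet.

    ssh_allowed holds the networks from 'ssh <net> <mask> outside'; as the
    thread shows, that statement installs an implicit permit for TCP/22 that
    is honoured before the control-plane ACL is consulted.
    """
    ip = ipaddress.ip_address(src_ip)
    if proto == "tcp" and dst_port == 22:
        if any(ip in ipaddress.ip_network(n, strict=False) for n in ssh_allowed):
            return True
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ip not in ace.src:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action == "permit"
    return False  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    cli, rules = build_ike_allowlist("FILTER-VPN", ["203.0.113.10", "198.51.100.0/24"])
    print("\n".join(cli))
    print("peer 203.0.113.10 -> UDP/500:", to_the_box_allowed("203.0.113.10", "udp", 500, rules))
    print("other 203.0.113.11 -> UDP/500:", to_the_box_allowed("203.0.113.11", "udp", 500, rules))
```

The generated lines are the ones you would paste into configure mode; the evaluator exists so the ordering question (permits before the catch-all deny, deny before "permit ip any any") and the ssh precedence can be checked before touching a production box. Note that with permit_other=True, TCP/22 from a non-peer is still allowed by the final "permit ip any any"; only the stricter ACL without it shows the ssh statement doing the work.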